CVE-2024-26016

Apache Superset: Improper authorization validation on dashboards and charts import

CVSS 4.3 MEDIUMEPSS 0.9%CWE-863

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.3EPSS 0.9%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

28 Feb 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products

Apache Software Foundation · Apache Superset

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s http://www.openwall.com/lists/oss-security/2024/02/28/7